Horses, Barn Doors and Ransomware

There is a favorite saying to characterize a situation where the remedy to a problem shows up too late: “It’s like locking the barn door after the horse is stolen.”

When we look at how many user and entity behavior analytics (UEBA) solutions deal with email-borne attacks like spearphishing and ransomware, they focus on “and look how we show you the data leaving your organization” as opposed to “we’ve seen an email that looks like it can lead to an attack.” In other words, “the horse is leaving, good luck.”

While any notification of an attack in progress (or even finished) is necessary for damage control and cleanup, new technologies such as machine learning should do better than that.

Much has been made of the value of machine learning/behavior analytics—often packaged as a UEBA solution—to detect cyber-attacks that have evaded real-time defenses and typically masquerade with legitimate user credentials.

The “E” in UEBA stands for “entity.” An entity can be a user, a host, an application—really any IT actor with an IP address, including IoT devices. Until now, UEBA machine learning has been applied to find small changes in user or host behavior that, when collected over time and put into context, in aggregate indicate a slowly gestating attack. In other words, the focus has been on the compromised user or system.

Aruba has expanded the definition of “entity” to include the attacker with our UEBA product, IntroSpect. By using UEBA machine learning models that focus on the tactics of the exploit, analysts see these attempts earlier in the kill chain and can take steps to intercept the attacks before they do damage.

This breakthrough came from an exhaustive study of email-based attack campaigns by the IntroSpect threat research team. In a published study, “Using Behavioral Analytics to Detect Malicious Email Campaigns and Targeted Attacks,” five of the most lethal email-targeted campaigns, such as Lokey, PostMoney and Witness, were carefully scrutinized to unearth the tactics, techniques and procedures (TTPs) used by attackers. Based on these attack “autopsies,” IntroSpect researchers pinpointed the critical signs of email-based attacks, which include:

Name spoofing

Campaign targeting

Origination

Duration

The most important finding of the study is that the same machine learning algorithms that IntroSpect uses to find compromised or malicious insiders can be applied to email logs or actual email headers to automatically flag ransomware, spearphishing, whaling, etc.

For example, a typical attack email campaign will try to trick a user by spoofing the sender address: replacing an “i” with an “l”, an “o” with a zero, or making some other small change that is easily overlooked, such as “InterSpect” instead of “IntroSpect”. With specially trained machine learning models, IntroSpect can spot these subtle changes and combine them with other attacker behaviors to deliver a reliable, highly actionable alert before files are frozen or data leaves the organization.
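To make the “i” for “l” and “o” for zero trick concrete, here is an added Python example (written for this post; it is not IntroSpect code and says nothing about how IntroSpect’s models work) that checks an inbound From header against a constructed allow-list of trusted brand names and domains. It flags three things the post describes: a trusted brand name in the display name paired with an untrusted domain, a domain that becomes identical to a trusted one once look-alike characters are folded together, and a domain within two edits of a trusted one (which catches “InterSpect” for “IntroSpect”). The trusted names, domains and sample headers are all assumptions made up for the example.

```python
from email.utils import parseaddr

# Constructed allow-list for the example; a real deployment would load
# the organisation's own brands and sending domains (assumption).
TRUSTED_NAMES = {"introspect", "aruba"}
TRUSTED_DOMAINS = {"introspect.example", "aruba.example"}

# Single characters attackers swap for look-alikes, folded to one canonical
# form so that "intr0spect" and "lntrospect" compare equal to "introspect".
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(text: str) -> str:
    """Lower-case and fold common look-alike sequences/characters."""
    text = text.lower()
    # Multi-character look-alikes cannot go through str.translate.
    text = text.replace("rn", "m").replace("vv", "w")
    return text.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of human-readable findings; an empty list means no sign of spoofing."""
    findings = []
    display, addr = parseaddr(from_header)
    _, _, domain = addr.rpartition("@")
    domain = domain.lower()

    # 1. Display-name spoofing: trusted brand in the visible name, address elsewhere.
    if domain not in TRUSTED_DOMAINS:
        for name in TRUSTED_NAMES:
            if name in normalize(display):
                findings.append(
                    f"display name resembles trusted '{name}' but domain is {domain!r}")

    # 2. Look-alike domain: homoglyph-equal or a couple of edits from a trusted domain.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(domain) == normalize(trusted):
                findings.append(f"domain {domain!r} is a homoglyph of {trusted!r}")
            elif edit_distance(domain, trusted) <= 2:
                findings.append(f"domain {domain!r} is within 2 edits of {trusted!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers for the example.
    samples = [
        "IntroSpect Support <support@introspect.example>",
        "IntroSpect Billing <billing@mail-relay.example>",
        "Security Team <alerts@intr0spect.example>",
        "Security Team <alerts@interspect.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "clean")
```

In production the allow-list would come from the organisation’s own mail configuration, and a finding here is a feature to feed into a larger scoring model alongside the other signs the study lists (targeting, origination, duration), not an alert on its own; legitimate third-party senders do sometimes put a brand name in the display name.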

According to the 2017 Verizon Data Breach Investigations Report, 95% of phishing attacks that led to a breach were followed by some form of software installation. Of these phishing attacks, three-quarters were financially motivated and a quarter were focused on espionage operations. Despite the array of security defenses, email-focused or not, these attacks still get through and are only noticed as data flies out or files are corrupted.

IntroSpect has opened a new front in the war on email-borne attacks. By combining the anomalies detected in an attacker’s behavior with other relevant alerts, the doors can be locked and the horses are protected—before the damage is done.